CNN just reported on a Jan 23 Intelligence Bulletin from the US Department of Homeland Security (DHS) that warned state and local governments and critical infrastructure operators about the risk of Russia hitting the US with cyber attacks in retaliation for a possible US or NATO response to a potential Russian invasion of Ukraine.
The agency said Russia could employ anything from denial-of-service attacks to more destructive ones aimed at disrupting critical infrastructure.
Specifically, CISA just highlighted a warning by Microsoft about malware focused on deleting the Master Boot Record of Windows devices that was being used in attacks on Ukrainian organizations.
CISA also put out a set of recommendations – particularly if your organization is working with a Ukrainian business or has an office in Ukraine – that includes steps to reduce the likelihood of attack, detection of potential intrusions, incident response should an attack occur, and a focus on being cyber resilient. CISA noted with concern: “The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure”.
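The Microsoft finding above is about malware that overwrites the Master Boot Record, so one concrete piece of the "detect potential intrusions" advice is an integrity check on that sector. The following Python is an added example (not code from CISA, Microsoft, or the original post): it hashes the first 512 bytes of a disk against a baseline recorded while the host was known-good and reports a missing 0x55AA boot signature or a changed hash. The sample sector and the temporary disk image are constructed inline so it runs offline; on a real host you would point `read_mbr` at the block device and keep the baseline hash off the box, since a wiper that reaches the MBR can also reach a baseline stored next to it.

```python
"""Baseline-and-compare check of a disk's Master Boot Record (MBR).

Added example, not code from CISA, Microsoft, or the original post. The MBR
is the first 512-byte sector of a disk; a wiper that overwrites it leaves the
0x55AA boot signature missing and the sector hash changed from a baseline
recorded while the machine was known to be clean.
"""
import hashlib
import os
import tempfile

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of every valid MBR


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device or raw disk image."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def mbr_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the sector; record it once and keep it off the host."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, baseline: str) -> list:
    """Return a list of findings; an empty list means the sector matches."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("short read: expected %d bytes, got %d" % (MBR_SIZE, len(mbr)))
        return findings
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if mbr.count(0) == MBR_SIZE:
        findings.append("sector is all zeros")
    if mbr_fingerprint(mbr) != baseline:
        findings.append("sector hash differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed stand-in for a real MBR (fake boot code, one partition
    entry, boot signature); the offsets are the standard MBR layout."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * 437             # 440 bytes
    disk_id = b"\x12\x34\x56\x78" + b"\x00\x00"            # 4-byte id + 2 reserved
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x83, 0xFE, 0xFF, 0xFF,
                   0x00, 0x08, 0x00, 0x00, 0x00, 0xF8, 0x7F, 0x00])
    partition_table = entry + b"\x00" * 48                  # 4 entries x 16 bytes
    mbr = boot_code + disk_id + partition_table + BOOT_SIGNATURE
    assert len(mbr) == MBR_SIZE
    return mbr


def demo() -> tuple:
    """Baseline a constructed disk image, then corrupt sector 0 of that temp
    file to show what the check reports. Returns (before, after)."""
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(good + b"\x00" * 4096)   # a few empty sectors after the MBR
        path = img.name
    try:
        before = check_mbr(read_mbr(path), baseline)
        with open(path, "r+b") as fh:       # overwrite sector 0 of the temp image
            fh.write(b"\x00" * MBR_SIZE)
        after = check_mbr(read_mbr(path), baseline)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "OK")
    print("after :", after)
```

The check is after-the-fact by design: it tells you a boot sector no longer matches, which is exactly when the "weapons-grade backups" point further down the page pays off. Run it from a scheduled job, alert on any non-empty findings list, and re-baseline only after a deliberate bootloader update.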
Remember the 2017 NotPetya attack? In a report published by Wired, a White House assessment pegged the total damages brought about by NotPetya to more than $10 billion. This was confirmed by former Homeland Security adviser Tom Bossert, who at the time of the attack was the most senior cybersecurity focused official in the US government.
More recently, “58% of all cyberattacks from nation-states have come from Russia,” said Tom Burt, Microsoft corporate vice president.
The downtime caused by NotPetya was horrendous. Think your cybersecurity insurance might cover the cost? Not so fast. Some insurance companies cited “act of war” exclusions to try to avoid covering the NotPetya damage. This is now in the courts, and this WSJ article is great ammo to add to a budget request.
Cybersecurity has moved from IT to a CEO and board-level business issue
You did not sign up for this, but today it is abundantly clear that as an IT pro you find yourself on the front line of 21st-century cyber war. Cybersecurity has moved from IT to a CEO and board-level business issue. I strongly suggest you have another look at your defense-in-depth, and make sure to:
- Have weapons-grade backups
- Religiously patch
- Step your users through refresher security awareness training
Now that the new year has started and you need to comply with a raft of regulations, it’s a great time to schedule your users for a refresher awareness training module to keep them on their toes with security top of mind.
Original release date: January 27, 2022
The Federal Bureau of Investigation (FBI) has released a Private Industry Notification (PIN) that provides a historical overview of Iran-based cyber company Emennet Pasargad’s tactics, techniques, and procedures to enable readers to identify and defend against the group’s malicious cyber activities.
CISA encourages users and administrators to review FBI PIN: Context and Recommendations to Protect Against Malicious Activity by Iranian Cyber Group Emennet Pasargad and apply the recommended mitigations.
An elevation of privilege bug that could let a “mostly harmless” user give themselves an instant root shell
Dubbed PwnKit, it’s been sitting in a user policy module used in Linux distros for over a decade and can be used by anyone to gain root privileges. Here’s what you can do to protect your systems.
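The "user policy module" is polkit, and the bug is in its setuid `pkexec` helper; that identification is mine, the item above does not name it. The fix is your distribution's polkit update, and the interim mitigation published with the disclosure was to remove the setuid bit from pkexec until the patch lands. The following Python is an added example (not code from the page, the polkit project, or any advisory) that reports whether pkexec is still installed setuid and inventories other setuid files under a directory; it only reads file modes and changes nothing. The paths in `PKEXEC_CANDIDATES` are assumed common install locations, and `demo_fixture` builds a throwaway directory so the logic runs without touching `/usr/bin`.

```python
"""Report the setuid state of pkexec and inventory setuid files.

Added example, not from the page, the polkit project, or any advisory.
PwnKit is the publicly reported bug in polkit's setuid pkexec helper (that
identification is mine; the page only says "a user policy module"). The fix
is the distro's polkit update; the published interim mitigation drops the
setuid bit from pkexec. This script only reports, it changes nothing.
"""
import os
import shutil
import stat
import tempfile

# Assumed common install locations; adjust for your distribution.
PKEXEC_CANDIDATES = ("/usr/bin/pkexec", "/usr/local/bin/pkexec")


def is_setuid(path: str) -> bool:
    """True if `path` is a regular file with the setuid bit set (any owner)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_setuid_files(root: str) -> list:
    """Walk `root` and return sorted paths of regular files with setuid set;
    this is the local privilege-escalation surface worth reviewing."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_setuid(path):
                    hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def pkexec_status(candidates=PKEXEC_CANDIDATES) -> dict:
    """Map each candidate path to 'absent', 'setuid' or 'not-setuid'."""
    status = {}
    for path in candidates:
        if not os.path.exists(path):
            status[path] = "absent"
        else:
            status[path] = "setuid" if is_setuid(path) else "not-setuid"
    return status


def needs_attention(status: dict) -> bool:
    """True if any pkexec copy is still installed setuid."""
    return any(state == "setuid" for state in status.values())


def demo_fixture() -> dict:
    """Constructed fixture: one setuid file and one plain file in a temp dir,
    plus an absent path, so the checks can be exercised offline."""
    root = tempfile.mkdtemp()
    try:
        setuid_path = os.path.join(root, "pkexec")
        plain_path = os.path.join(root, "plain")
        for p in (setuid_path, plain_path):
            with open(p, "wb") as fh:
                fh.write(b"#!/bin/sh\n")
        os.chmod(setuid_path, 0o4755)
        os.chmod(plain_path, 0o755)
        status = pkexec_status((setuid_path, plain_path, os.path.join(root, "absent")))
        return {
            "setuid_files": [os.path.relpath(p, root) for p in find_setuid_files(root)],
            "status": {os.path.basename(k): v for k, v in status.items()},
            "needs_attention": needs_attention(status),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    st = pkexec_status()
    for path, state in st.items():
        print("%-22s %s" % (path, state))
    if needs_attention(st):
        print("pkexec is setuid: confirm the polkit package is patched, or apply "
              "the interim mitigation 'chmod 0755 /usr/bin/pkexec' until it is.")
    print("setuid files under /usr/bin:", find_setuid_files("/usr/bin"))
```

A "setuid" result is not by itself proof of exposure, since a patched polkit keeps pkexec setuid on purpose; pair the output with your package manager's version check, and treat the setuid inventory as a list to review rather than a list to strip.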
This blog was authored by Ankur Saini and Hossein Jazi
Lazarus Group is one of the most sophisticated North Korean APTs that has been active since 2009. The group is responsible for many high-profile attacks in the past and has gained worldwide attention. The Malwarebytes Threat Intelligence team is actively monitoring its activities and was able to spot a new campaign on Jan 18th 2022.
In this campaign, Lazarus conducted spear phishing attacks weaponized with malicious documents that use their known job opportunities theme. We identified two decoy documents masquerading as American global security and aerospace giant Lockheed Martin.
In this blog post, we provide technical analysis of this latest attack including a clever use of Windows Update to execute the malicious payload and GitHub as a command and control server. We have reported the rogue GitHub account for harmful content. More…
More than 3,600 network-attached storage (NAS) devices from Taiwanese company QNAP have been infected and had their data encrypted by a new strain of ransomware named Deadbolt.
Devices attacked by the Deadbolt gang are easy to recognize because the login screen is typically replaced with a ransom note, and local files are encrypted and renamed with a .deadbolt extension.
The threat actor behind the attacks is extorting not only the owners of the NAS devices but also the QNAP company itself.
According to a copy of the ransom note, device owners are told to pay 0.03 Bitcoin ($1,100) to receive a decryption key to unlock their files, while in a second note, the hackers demand 50 Bitcoin ($18.6 million) from QNAP to reveal details about the supposed zero-day vulnerability they have been using to attack its users. More…
According to an analysis released this week by Varonis, ALPHV is actively recruiting operators from several ransomware organizations — including REvil, BlackMatter and DarkSide — and is offering affiliates up to 90 percent of any ransom paid by a victim organization. More…
Free home PCR devices would be technological marvels, and really useful, too. But there aren’t any…